CESA-2009-001 - rev 1 Linux syscall interception technologies partial bypass
2009-01-28T00:00:00
ID SECURITYVULNS:DOC:21249 Type securityvulns Reporter Securityvulns Modified 2009-01-28T00:00:00
Description
CESA-2009-001 - rev 1
[See all my vulnerabilities at http://scary.beasts.org/security]
[Blog if you want to subscribe to new findings is at http://scarybeastsecurity.blogspot.com/]
Linux syscall interception technologies partial bypass
Programs affected: Probably many; for example systrace with ptrace() backend.
Fixed: Systrace 1.6f for 32-bit build (but you are cautioned that ptrace() is not a security technology).
Severity: Syscall policy violation.
Various security technologies make use of syscall filtering. Such technologies are very powerful because they restrict a compromise not just in terms of access to files, networks and processes -- but also access to the rich kernel API (a great source of ring 0 bugs).
Syscall filtering technologies typically make an allow / deny decision based on the syscall (identified by a number) and sometimes also the exact arguments to the syscall. A vulnerability exists due to the identification of syscall by number. On 64-bit aware Linux kernels (x86_64), the syscall number can map to either the 32-bit or 64-bit syscall table. Since the syscall tables are different for 32-bit vs. 64-bit, and the user space process gets to control which table it hits, the syscall number check can often be fooled.
For example, a syscall filter technology might be monitoring a 64-bit process, and configured to allow some subset of the very common open() syscall. That's syscall number 2 in 64-bit land. However, the monitored process can switch to 32-bit mode and issue syscall 2. That appears to be open() to the monitor but will execute as fork() in the kernel - possibly leading to an unmonitored process.
Here is a sample piece of code which does a 32-bit syscall:
int
main(int argc, const char argv[])
{
/ Syscall 1 is exit on i386 but write on x86_64. */
asm volatile("movl $1, %eax\n"
"int $0x80\n");
for (;;);
}
When built 64-bit, and run under strace on my 64-bit machine, the difference in opinion on the syscall is apparent:
write(1, "\370V\355\365\377\177", 140737319359320 <unfinished ... exit status 208>
The monitor sees write() but the kernel sees (and executes!) exit().
Detecting this situation has some subtleties. Which syscall table the kernel hits depends on both the instruction used to trap into the kernel, and also the "long mode" bit in the current descriptor referred to by the code segment (CS) register. int80 and sysenter always cause a 32-bit syscall, but syscall looks at the descriptor. Therefore, to securely monitor a 32-bit process, it is sufficient just to validate that the CS register references a privileged 32-bit descriptor. Unfortunately, to securely monitor a 64-bit process, not only must the CS register be checked, but the instruction initiating the syscall must be checked. This involves reading user-space which is of course is subject to well-documented lethal race conditions when other processes which share writeable address space.
CESA-2009-001 - rev 1
Chris Evans
scarybeasts@gmail.com
{"id": "SECURITYVULNS:DOC:21249", "bulletinFamily": "software", "title": "CESA-2009-001 - rev 1 Linux syscall interception technologies partial bypass", "description": "CESA-2009-001 - rev 1\r\n\r\n\r\n[See all my vulnerabilities at http://scary.beasts.org/security]\r\n\r\n[Blog if you want to subscribe to new findings is at http://scarybeastsecurity.blogspot.com/]\r\n\r\nLinux syscall interception technologies partial bypass\r\n\r\nPrograms affected: Probably many; for example systrace with ptrace() backend.\r\nFixed: Systrace 1.6f for 32-bit build (but you are cautioned that ptrace() is not a security technology).\r\nSeverity: Syscall policy violation.\r\n\r\nVarious security technologies make use of syscall filtering. Such technologies are very powerful because they restrict a compromise not just in terms of access to files, networks and processes -- but also access to the rich kernel API (a great source of ring 0 bugs).\r\n\r\nSyscall filtering technologies typically make an allow / deny decision based on the syscall (identified by a number) and sometimes also the exact arguments to the syscall. A vulnerability exists due to the identification of syscall by number. On 64-bit aware Linux kernels (x86_64), the syscall number can map to either the 32-bit or 64-bit syscall table. Since the syscall tables are different for 32-bit vs. 64-bit, and the user space process gets to control which table it hits, the syscall number check can often be fooled.\r\n\r\nFor example, a syscall filter technology might be monitoring a 64-bit process, and configured to allow some subset of the very common open() syscall. That's syscall number 2 in 64-bit land. However, the monitored process can switch to 32-bit mode and issue syscall 2. That appears to be open() to the monitor but will execute as fork() in the kernel - possibly leading to an unmonitored process.\r\n\r\nHere is a sample piece of code which does a 32-bit syscall:\r\n\r\nint\r\nmain(int argc, const char* argv[])\r\n{\r\n /* Syscall 1 is exit on i386 but write on x86_64. */\r\n asm volatile("movl $1, %eax\n"\r\n "int $0x80\n");\r\n for (;;);\r\n}\r\n\r\nWhen built 64-bit, and run under strace on my 64-bit machine, the difference in opinion on the syscall is apparent:\r\n\r\nwrite(1, "\370V\355\365\377\177", 140737319359320 <unfinished ... exit status 208>\r\n\r\nThe monitor sees write() but the kernel sees (and executes!) exit().\r\n\r\nDetecting this situation has some subtleties. Which syscall table the kernel hits depends on both the instruction used to trap into the kernel, and also the "long mode" bit in the current descriptor referred to by the code segment (CS) register. int80 and sysenter always cause a 32-bit syscall, but syscall looks at the descriptor. Therefore, to securely monitor a 32-bit process, it is sufficient just to validate that the CS register references a privileged 32-bit descriptor. Unfortunately, to securely monitor a 64-bit process, not only must the CS register be checked, but the instruction initiating the syscall must be checked. This involves reading user-space which is of course is subject to well-documented lethal race conditions when other processes which share writeable address space.\r\n\r\n\r\nCESA-2009-001 - rev 1\r\nChris Evans\r\nscarybeasts@gmail.com ", "published": "2009-01-28T00:00:00", "modified": "2009-01-28T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:21249", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:29", "edition": 1, "viewCount": 1, "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2018-08-31T11:10:29", "rev": 2}, "dependencies": {"references": [{"type": "mskb", "idList": ["KB953331", "KB2874216", "KB980408", "KB3191913", "KB981401", "KB2510690", "KB317244", "KB2501721", "KB2785908", "KB2526297"]}], "modified": "2018-08-31T11:10:29", "rev": 2}, "vulnersScore": -0.3}, "affectedSoftware": []}
{"rst": [{"lastseen": "2021-01-17T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **79[.]110.114.124** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **52**.\n First seen: 2021-01-16T03:00:00, Last seen: 2021-01-17T03:00:00.\n IOC tags: **scan, generic**.\nASN 21249: (First IP 79.110.112.0, Last IP 79.110.119.255).\nASN Name \"RUTILBGAS\" and Organisation \"\".\nASN hosts 19 domains.\nGEO IP information: City \"Varna\", Country \"Bulgaria\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-01-16T00:00:00", "id": "RST:608027C4-01AC-382F-AFEA-728433B50553", "href": "", "published": "2021-01-18T00:00:00", "title": "RST Threat feed. IOC: 79.110.114.124", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-17T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **79[.]110.112.210** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **22**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-17T03:00:00.\n IOC tags: **generic**.\nASN 21249: (First IP 79.110.112.0, Last IP 79.110.119.255).\nASN Name \"RUTILBGAS\" and Organisation \"\".\nASN hosts 19 domains.\nGEO IP information: City \"Varna\", Country \"Bulgaria\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:2016D235-F6CD-39C1-8B0F-9AA8A60B8376", "href": "", "published": "2021-01-18T00:00:00", "title": "RST Threat feed. IOC: 79.110.112.210", "type": "rst", "cvss": {}}, {"lastseen": "2020-12-09T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **onedrive[.]live.com/download?cid=4c3f5c65a99da195&resid=4c3f5c65a99da195%21249&authkey=abx7b-troomsh2s** in [RST Threat Feed](https://rstcloud.net/profeed) with score **46**.\n First seen: 2020-11-15T03:00:00, Last seen: 2020-12-09T03:00:00.\n IOC tags: **malware**.\nIt was found that the IOC is used by: **cloudeye, azorult**.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-11-15T00:00:00", "id": "RST:D26D0C62-EA59-3C79-90A8-3562974849FA", "href": "", "published": "2020-12-10T00:00:00", "title": "RST Threat feed. IOC: onedrive.live.com/download?cid=4c3f5c65a99da195&resid=4c3f5c65a99da195%21249&authkey=abx7b-troomsh2s", "type": "rst", "cvss": {}}, {"lastseen": "2020-08-12T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **79[.]110.119.94** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **21**.\n First seen: 2020-06-24T03:00:00, Last seen: 2020-08-12T03:00:00.\n IOC tags: **generic**.\nASN 21249: (First IP 79.110.112.0, Last IP 79.110.119.255).\nASN Name \"RUTILBGAS\" and Organisation \"\".\nASN hosts 16 domains.\nGEO IP information: City \"Varna\", Country \"Bulgaria\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-06-24T00:00:00", "id": "RST:02C82FE7-2BD0-338D-A644-F4C03CE15F52", "href": "", "published": "2020-09-21T00:00:00", "title": "RST Threat feed. IOC: 79.110.119.94", "type": "rst", "cvss": {}}, {"lastseen": "2020-08-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **43[.]226.33.223** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **36**.\n First seen: 2020-07-31T03:00:00, Last seen: 2020-08-28T03:00:00.\n IOC tags: **malware**.\nASN 134762: (First IP 43.226.32.0, Last IP 43.226.47.255).\nASN Name \"CHINANETSICHUANCHENGDUMAN\" and Organisation \"CHINANET Sichuan province Chengdu MAN network\".\nASN hosts 21249 domains.\nGEO IP information: City \"\", Country \"China\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-07-31T00:00:00", "id": "RST:D6E92FC4-4482-3988-BBF4-6A78C17B31F5", "href": "", "published": "2020-08-29T00:00:00", "title": "RST Threat feed. IOC: 43.226.33.223", "type": "rst", "cvss": {}}, {"lastseen": "2020-08-26T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **43[.]226.152.5** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **27**.\n First seen: 2020-07-28T03:00:00, Last seen: 2020-08-26T03:00:00.\n IOC tags: **generic**.\nASN 134762: (First IP 43.226.144.0, Last IP 43.226.159.255).\nASN Name \"CHINANETSICHUANCHENGDUMAN\" and Organisation \"CHINANET Sichuan province Chengdu MAN network\".\nASN hosts 21249 domains.\nGEO IP information: City \"\", Country \"China\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-07-28T00:00:00", "id": "RST:3B785773-81B2-33C1-AD3F-27DA15B3C543", "href": "", "published": "2020-08-29T00:00:00", "title": "RST Threat feed. IOC: 43.226.152.5", "type": "rst", "cvss": {}}, {"lastseen": "2020-08-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **103[.]45.179.198** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **36**.\n First seen: 2020-07-31T03:00:00, Last seen: 2020-08-28T03:00:00.\n IOC tags: **malware**.\nASN 134762: (First IP 103.45.172.0, Last IP 103.45.191.255).\nASN Name \"CHINANETSICHUANCHENGDUMAN\" and Organisation \"CHINANET Sichuan province Chengdu MAN network\".\nASN hosts 21249 domains.\nGEO IP information: City \"\", Country \"China\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-07-31T00:00:00", "id": "RST:87DF955C-1D5D-3BE0-A92C-8CE8E4AEBB52", "href": "", "published": "2020-08-29T00:00:00", "title": "RST Threat feed. IOC: 103.45.179.198", "type": "rst", "cvss": {}}, {"lastseen": "2020-08-27T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **43[.]226.158.183** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **36**.\n First seen: 2020-08-16T03:00:00, Last seen: 2020-08-27T03:00:00.\n IOC tags: **generic**.\nASN 134762: (First IP 43.226.144.0, Last IP 43.226.159.255).\nASN Name \"CHINANETSICHUANCHENGDUMAN\" and Organisation \"CHINANET Sichuan province Chengdu MAN network\".\nASN hosts 21249 domains.\nGEO IP information: City \"\", Country \"China\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-08-16T00:00:00", "id": "RST:0F8C2569-3A84-3FEF-B9C6-34601C3D7EA5", "href": "", "published": "2020-08-28T00:00:00", "title": "RST Threat feed. IOC: 43.226.158.183", "type": "rst", "cvss": {}}, {"lastseen": "2020-08-25T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **103[.]45.179.194** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **40**.\n First seen: 2020-08-25T03:00:00, Last seen: 2020-08-25T03:00:00.\n IOC tags: **shellprobe**.\nASN 134762: (First IP 103.45.172.0, Last IP 103.45.191.255).\nASN Name \"CHINANETSICHUANCHENGDUMAN\" and Organisation \"CHINANET Sichuan province Chengdu MAN network\".\nASN hosts 21249 domains.\nGEO IP information: City \"\", Country \"China\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-08-25T00:00:00", "id": "RST:57EC3E15-F46B-339F-82D7-417A195DAD60", "href": "", "published": "2020-08-28T00:00:00", "title": "RST Threat feed. IOC: 103.45.179.194", "type": "rst", "cvss": {}}, {"lastseen": "2020-08-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **103[.]45.183.149** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **43**.\n First seen: 2020-08-28T03:00:00, Last seen: 2020-08-28T03:00:00.\n IOC tags: **generic**.\nASN 134762: (First IP 103.45.172.0, Last IP 103.45.191.255).\nASN Name \"CHINANETSICHUANCHENGDUMAN\" and Organisation \"CHINANET Sichuan province Chengdu MAN network\".\nASN hosts 21249 domains.\nGEO IP information: City \"\", Country \"China\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-08-28T00:00:00", "id": "RST:922C5330-34E7-382D-AEC0-D73D9E33DF65", "href": "", "published": "2020-08-28T00:00:00", "title": "RST Threat feed. IOC: 103.45.183.149", "type": "rst", "cvss": {}}], "cve": [{"lastseen": "2021-01-16T13:07:28", "description": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving YAML parsing which can lead to post-auth remote code execution. In order to parse and process YAML files, OneDev uses SnakeYaml which by default (when not using `SafeConstructor`) allows the instantiation of arbitrary classes. We can leverage that to run arbitrary code by instantiating classes such as `javax.script.ScriptEngineManager` and using `URLClassLoader` to load the script engine provider, resulting in the instantiation of a user controlled class. For a full example refer to the referenced GHSA. This issue was addressed in 4.0.3 by only allowing certain known classes to be deserialized", "edition": 1, "cvss3": {}, "published": "2021-01-15T21:15:00", "title": "CVE-2021-21249", "type": "cve", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-21249"], "modified": "2021-01-15T21:15:00", "cpe": [], "id": "CVE-2021-21249", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21249", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}], "talos": [{"lastseen": "2021-01-05T21:23:33", "bulletinFamily": "info", "cvelist": ["CVE-2020-13576"], "description": "# Talos Vulnerability Report\n\n### TALOS-2020-1187\n\n## Genivia gSOAP WS-Addressing plugin code execution vulnerability\n\n##### January 5, 2021\n\n##### CVE Number\n\nCVE-2020-13576\n\n### Summary\n\nA code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.\n\n### Tested Versions\n\nGenivia gSOAP 2.8.107\n\n### Product URLs\n\n<https://www.genivia.com/products.html#gsoap>\n\n### CVSSv3 Score\n\n9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-680 - Integer Overflow to Buffer Overflow\n\n### Details\n\nThe gSOAP toolkit is a C/C++ library for developing XML-based web services. It includes several plugins to support the implementation of SOAP and web service standards. The framework also provides multiple deployment options including modules for both IIS and Apache, standalone CGI scripts and its own standalone HTTP service.\n\nOne of the many plugins provided by gSOAP includes the wsa plugin for supporting the WS-Addressing specification which provides an asynchronous mechanism for routing SOAP requests and responses. The specification includes a element for providing URI parameters to a number of different parts of both requests and responses. The URIs may include a username and password for the resource in a standard format. http://user:password@somehost.com A buffer overflow vulnerability existing in the parsing of these extra parameters.\n\nIt starts by looking for the `:` in the uri and assumes that if it\u2019s not part of `://` that is is the seperator between the username and password.\n \n \n 21234 s = strchr(endpoint, ':');\n 21235 if (s && s[1] == '/' && s[2] == '/') // Skip the :// part of the parameter\n 21236 s += 3;\n 21237 else // Assume it's the seperator and start from the beginning of the element\n 21238 s = endpoint; \n \n\nProcessing continues by trying to find the `@` to seperate the user:pass from the hostname. At this point, parsing of the username and password occurs assuming we have found both seperators (`@` and `:`)\n \n \n 21240 t = strchr(s, '@'); // attempts to find the seperator \n 21241\n 21242 if (t && *s != ':' && *s != '@')\n 21243 {\n 21244 size_t l = t - s + 1; // Calculate the size of the user:pass part of the string\n 21245 char *r = (char*)soap_malloc(soap, l); // Allocate enough storage to hold both the user and pass\n 21246 n = s - endpoint;\n 21247 if (r)\n 21248 {\n 21249 s = soap_decode(r, l, s, \":@\"); // s is still pointing to the beginning of the data in this element\n 21250 soap->userid = r; // r is now a copy of the user part of the string up to the :\n 21251 soap->passwd = SOAP_STR_EOS;\n 21252 if (*s == ':') // s now points to the : seperator\n 21253 {\n 21254 s++; // Step past the seperator and now we should be pointing to the password section\n 21255 if (*s != '@') // Make sure the password isn't empty\n 21256 {\n 21257 l = t - s + 1; // t points to the @ seperator so here we calculate the length of the password by subtracting between the two seperators\n 21258 r = r + strlen(r) + 1; // r currently points to the copied username so we skip past to copy the password into the same buffer.\n 21259 s = soap_decode(r, l, s, \"@\"); // l is now a very large number allowing us to write us much data to the head as we like and cleanly terminate the copy with an @\n 21260 soap->passwd = r;\n 21261 }\n 21262 }\n 21263 }\n 21264 s++;\n 21265 soap_strcpy(soap->endpoint + n, sizeof(soap->endpoint) - n, s);\n 21266 }\n \n\nHere the code makes an assumption about the order of the `:` and `@` seperators. It assumes that the `@` (`t`) is after `:`(`s`) and calculates the size for the second soap_decode based on this assumption. If the `:` comes after the `@`, this calculation causes the calculated size to be negative and wrap around and become a very large length value to `soap_decode` to parse the password.\n\nWithin soap_decode, an attempt to copy the data into a the new heap buffer occurs. As the length is a very large number and the counter is counting backwards, we are able to write an arbitrary amount of data past our destination buffer.\n \n \n 7919 soap_decode(char *buf, size_t len, const char *val, const char *sep)\n 7920 {\n 7921 const char *s;\n 7922 char *t = buf;\n 7923 size_t i = len;\n 7924 for (s = val; *s; s++)\n 7925 if (*s != ' ' && *s != '\\t' && !strchr(sep, *s))\n 7926 break;\n 7927 if (len > 0)\n 7928 {\n 7929 if (*s == '\"')\n 7930 {\n 7931 s++;\n 7932 \n 7933 while (*s && *s != '\"' && --i)\n 7934 *t++ = *s++;\n 7935 }\n \n\n### Crash Information\n \n \n Starting program: /gsoap-2.8/gsoap/samples/wsa/wsademo 8080\n [Thread debugging using libthread_db enabled]\n Using host libthread_db library \"/lib/x86_64-linux-gnu/libthread_db.so.1\".\n Server is running\n malloc(): memory corruption\n \n Program received signal SIGABRT, Aborted.\n __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51\n 51\t../sysdeps/unix/sysv/linux/raise.c: No such file or directory.\n (gdb) bt\n #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51\n #1 0x00007ffff70af8b1 in __GI_abort () at abort.c:79\n #2 0x00007ffff70f8907 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7225dfa \"%s\\n\") at ../sysdeps/posix/libc_fatal.c:181\n #3 0x00007ffff70ff97a in malloc_printerr (str=str@entry=0x7ffff722406e \"malloc(): memory corruption\") at malloc.c:5350\n #4 0x00007ffff7103a04 in _int_malloc (av=av@entry=0x7ffff745ac40 <main_arena>, bytes=bytes@entry=72) at malloc.c:3738\n #5 0x00007ffff710616c in __GI___libc_malloc (bytes=72) at malloc.c:3057\n #6 0x000055555556ddae in soap_malloc (soap=soap@entry=0x7ffff7fba010, n=56, n@entry=48) at stdsoap2_ssl.c:10428\n #7 0x000055555556de7f in soap_strdup (soap=soap@entry=0x7ffff7fba010, s=s@entry=0x555555589430 \"http://www.w3.org/2005/08/addressing/soap/fault\") at stdsoap2_ssl.c:2806\n #8 0x000055555557eedd in soap_try_connect_command (soap=soap@entry=0x7ffff7fba010, http_command=http_command@entry=2000,\n endpoint=endpoint@entry=0x55555579db40 \"http://%@AAAA:\", 'B' <repeats 186 times>..., action=action@entry=0x555555589430 \"http://www.w3.org/2005/08/addressing/soap/fault\")\n at stdsoap2_ssl.c:21486\n #9 0x0000555555582cdb in soap_connect_command (soap=soap@entry=0x7ffff7fba010, http_command=http_command@entry=2000,\n endpoints=0x55555579db40 \"http://%@AAAA:\", 'B' <repeats 186 times>..., action=0x555555589430 \"http://www.w3.org/2005/08/addressing/soap/fault\") at stdsoap2_ssl.c:21455\n #10 0x0000555555582de0 in soap_connect (soap=soap@entry=0x7ffff7fba010, endpoint=<optimized out>, action=<optimized out>) at stdsoap2_ssl.c:21408\n #11 0x0000555555562ebb in soap_wsa_fault_subcode_action (soap=soap@entry=0x7ffff7fba010, flag=flag@entry=1, faultsubcode=faultsubcode@entry=0x555555589856 \"wsa5:ActionNotSupported\",\n faultstring=faultstring@entry=0x555555589d50 \"The [action] cannot be processed at the receiver.\", faultdetail=faultdetail@entry=0x0, action=action@entry=0x0)\n at ../../plugin/wsaapi.c:1088\n #12 0x0000555555563145 in soap_wsa_fault_subcode (faultdetail=0x0, faultstring=0x555555589d50 \"The [action] cannot be processed at the receiver.\",\n faultsubcode=0x555555589856 \"wsa5:ActionNotSupported\", flag=1, soap=0x7ffff7fba010) at ../../plugin/wsaapi.c:1022\n #13 soap_wsa_sender_fault_subcode (faultdetail=0x0, faultstring=0x555555589d50 \"The [action] cannot be processed at the receiver.\", faultsubcode=0x555555589856 \"wsa5:ActionNotSupported\",\n soap=0x7ffff7fba010) at ../../plugin/wsaapi.c:1126\n #14 soap_wsa_error (soap=soap@entry=0x7ffff7fba010, fault=fault@entry=wsa5__ActionNotSupported, info=0x0) at ../../plugin/wsaapi.c:1428\n #15 0x0000555555563a7d in soap_wsa_set_error (soap=0x7ffff7fba010, c=0x55555579bbf0, s=0x55555579bc20) at ../../plugin/wsaapi.c:1623\n #16 0x000055555558535f in soap_set_fault (soap=soap@entry=0x7ffff7fba010) at stdsoap2_ssl.c:22051\n #17 0x00005555555861f3 in soap_send_fault (soap=0x7ffff7fba010) at stdsoap2_ssl.c:22314\n #18 0x00005555555588f3 in main (argc=2, argv=<optimized out>) at wsademo.c:85\n \n\n### Timeline\n\n2020-11-05 - Vendor Disclosure \n2020-12-16 - Vendor advised patch released on 2020-11-20 \n2021-01-05 - Public Release\n\n##### Credit\n\nDiscovered by a member of Cisco Talos. \n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2020-1188\n\nPrevious Report\n\nTALOS-2020-1186\n", "edition": 1, "modified": "2021-01-05T00:00:00", "published": "2021-01-05T00:00:00", "id": "TALOS-2020-1187", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1187", "title": "Genivia gSOAP WS-Addressing plugin code execution vulnerability", "type": "talos", "cvss": {"score": 0.0, "vector": "NONE"}}]}
